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DETAILED ACTION 

Response to Arguments 

1 . In communications filed on 5/7/2007, applicant has amended claims 46 and 64. The 
following claims 46-70 are presented for examination. 

1.1 Applicant's arguments, see pages 6-7, filed on 5/7/2007, with respect to the objection of 
claim 56 and the 1 12 th rejection of claims 58-59 and 61-62 have been fully considered and are 
persuasive. The objection of claim 56 and the 1 12 th rejection of claims 58-59 and 61-62 have 
been withdrawn. 

2. Applicant's arguments, filed on 5/7/2007, with respect to the art rejection of claims 46-70 
have been fully considered, and they are persuasive as amended. In response to applicant's 
request to provide documentation regarding Examiner's notice that it would have been an 
obvious modification to one of ordinary skill in the art to use plurality of processing engines to 
perform the process in parallel as to improve latency and performance, Examiner includes 
several prior art documents that perform parallel processing of data packets within a device. 
Applicant has further amended claims 46 and 64 to more particularly point out the invention. 
Upon further consideration, new grounds of rejection are set forth below. 

Double Patenting 
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3. The nonstatutory double patenting rejection is based on a judicially created doctrine 
grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or 
improper timewise extension of the "right to exclude" granted by a patent and to prevent possible 
harassment by multiple assignees. See In re Goodman, 1 1 F.3d 1046, 29 USPQ2d 2010 (Fed. 
Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 
F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel All F.2d 438, 164 USPQ 619 (CCPA 
1970);and, In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to 
overcome an actual or provisional rejection based on a nonstatutory double patenting ground 
provided the conflicting application or patent is shown to be commonly owned with this 
application. See 37 CFR 1.130(b). 

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal 
disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 
CFR 3.73(b). 

3.1 Claims 46, 64, and the intervening claims are provisionally rejected under the judicially 
created doctrine of obviousness-type double patenting as being unpatentable over claims 25-26 
and 28-58 of copending Application No. 10/218,206. Although the conflicting claims are not 
identical, they are not patentably distinct from each other because all the limitations of 
independent claims 46 and 64 are present in the copending application. For instance, 
independent claim 25 of the copending application is also directed to a plurality of security 
processing engines receiving security information for a plurality of packets, which could be 
interpreted as different packets. 
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This is a provisional obviousness-type double patenting rejection because the conflicting claims 
have not in fact been patented. 

3.2 Claims 46, 64, and the intervening claims are provisionally rejected under the judicially 
created doctrine of obviousness-type double patenting as being unpatentable over claims 24-44 
of copending Application No. 09/610,798. Although the conflicting claims are not identical, 
they are not patentably distinct from each other because all the limitations of independent claims 
46 and 64 are present in the copending application. For instance, independent claims 24 and 26 
of the copending application are also directed to a plurality of security processing engines 
receiving security information for a plurality of packets, which could be interpreted as different 
packets. 

This is a provisional obviousness-type double patenting rejection because the conflicting claims 
have not in fact been patented. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for 
patent or (2) a patent granted on an application for patent by another filed in the United 
States before the invention by the applicant for patent, except that an international 
application filed under the treaty defined in section 351(a) shall have the effects for 
purposes of this subsection of an application filed in the United States only if the 
international application designated the United States and was published under Article 
2 1 (2) of such treaty in the English language. 
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Claims 64-65 are rejected under 35 U.S.C. 102(e) as being anticipated by US Patent 
6,484,257 to Ellis. 

As per claim 64, Ellis discloses a method for classifying data packets during security 
processing in a server (device) comprising: receiving in a gateway server at least a portion of a 
header for each data packet in a plurality of data packets the gateway server strips and 
preappends data associated with each packet in a plurality of packets that meets the recitation of 
determining security association information associated with each data packet in the plurality of 
data packets, for example (see column 8, lines 33-36 and 58-66 and fig. 5A); Ellis discloses 
providing new header information for different packets and NAT table update to a plurality of 
agents that meets the recitation of for each data packet in the plurality of data packets providing 
at least a portion of the security association information associated with the data packets to a 
corresponding security processing engine in a plurality of security processing engines in the 
device that are configured to perform authentication, encryption, or decryption functions wherein 
at least two of the plurality of security processing engines receive security association 
information for different packets (see column 8, lines 33-36 and column 8, line 58 through 
column 9, line 28, and fig. 5A); Ellis discloses wherein the plurality of security processing 
engines are configured to process a plurality of the data packets in parallel (see column 9, lines 
8-12 and lines 29-43 and fig. 7). 
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As per claim 65, Ellis discloses the limitation of wherein the step of determining security 
association information comprises accessing a database to determine security association 
information (see column 6, lines 13-25). 

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject matter 
sought to be patented and the prior art are such that the subject matter as a whole would have 
been obvious at the time the invention was made to a person having ordinary skill in the art to 
which said subject matter pertains. Patentability shall not be negatived by the manner in which 
the invention was made. 

Claims 46-63 are rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 
6,484,257 to Ellis in view of US Patent 6,708,273 to Ober et al. 

As per claim 46, Ellis substantially discloses a server (device) comprising: a gateway 
server that strips and preappends data associated with each packet in a plurality of packets that 
meets the recitation of classification module determines security association information 
associated with each data packet in a plurality of data packets, for example (see column 8, lines 
33-36 and 58-66 and fig. 5A); Ellis discloses a plurality of agents coupled to the gateway server 
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configurable to perform authentication, encryption, or decryption functions that meets the 
recitation of a plurality of processing engines (agents) coupled to the classification module 
(gateway server ) configurable to perform authentication, encryption, or decryption functions 
(see column 8, line 66 through column 9, line 20); and discloses providing new header 
information for different packets and NAT table update to a plurality of agents that meets the 
recitation of wherein the classification module is configured to provide at least a portion of the 
security association information associated with the data packets to the plurality of security 
processing engines wherein at least two of the plurality of security processing engines receive 
security association information for different packets (see column 8, lines 33-36 and column 8, 
line 58 through column 9, line 28, and fig. 5A); Ellis discloses wherein the plurality of security 
processing engines are configured to process a plurality of the data packets in parallel (see 
column 9, lines 8-12 and lines 29-43 and fig. 7). Ellis does not explicitly disclose the server 
agent and the other agents being in the same device. Ober et al in an analogous art teaches a 
cryptographic co-processor implemented on a standard chip having encryption and hash circuits 
and other circuits (see column 2, lines 32-65 and column 5, lines 25-48) within the same device 
for processing cryptographic operations in parallel (see column 6, lines 4-12). Therefore, it 
would have been obvious to one of ordinary skill in the art at the time the invention was made to 
implement the multiple agents in Ellis into one single device as taught by Ober et al. The 
motivation to do so is given by Ober et al who teaches that the plurality of encryption engines 
make it possible to add security to various processing applications. Hardware such as encryption 
and hash circuits are provided and structured to work together to provide accelerated 
encryption/decryption capabilities as suggested by Ober et al (see column 2, lines 32-65). 
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As per claims 47-48, the references as combined above disclose the limitation of further 
comprising a database including security association information wherein the database is local to 
the classification module, and wherein the database includes one or more entries wherein each 
entry defines information associated with one security association, for example (see Ellis, 
column 6, lines 14-25). 

As per claim 49, the references as combined above disclose the limitation of wherein the 
database is located on the same chip as the classification module, for example (see Ellis, column 
6, lines 14-25). 

As per claim 50, the references as combined above disclose the claimed device of claim 
46. Ellis further discloses IPSec protocol for implementing security association information 
which meets the recitation of wherein the security association information includes a sequence 
number an anti-replay window and a lifetime of the security association, one of ordinary skill in 
the art would recognize these properties as part of IPSec security protocol information (see Ellis, 
column 3, lines 15-64). 

As per claim 51, the references as combined above disclose the limitation of wherein the 
security association information further includes an encapsulating security payload (ESP) 
encryption algorithm identifier and one or more ESP encryption keys, for example (see Ellis, 
column 3, lines 15-64). 
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As per claims 52-53, the references as combined above disclose the limitation of wherein 
the security association information further includes an (ESP) authentication algorithm identifier 
and one or more ESP authentication keys and an authentication header (AH) authentication 
algorithm identifier and one or more AH authentication keys, for example (see Ellis, column 3, 
lines 15-64). 

As per claim 54, the references as combined above disclose the limitation of wherein the 
security association information includes protocol mode information, for example (see Ellis, 
column 3, lines 15-64). 

As per claim 55, the references as combined above disclose wherein the database is 
stored in memory (see Ellis, column 6, lines 14-25). It is implicit that the database in the server 
is stored in memory. 

As per claim 56, the references as combined above disclose the claimed device of claim 
55 and discloses that the invention may be performed using any type of memory or data storage 
(see Ellis, column 9, lines 15-22). Ellis does not explicitly disclose that the memory is contact 
addressable memory. A contact addressable memory (CAM) is well known in the art for very 
fast table lookups since the data items are not accessed based on memory address or location but 
by analysis of content. Therefore, it would have been an obvious modification to one of ordinary 
skill in the art to use such memory for very fast table lookups. 
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As per claim 57, the references as combined above disclose the claimed device of claim 
55 and further discloses wherein the memory is random-access memory (see Kaplan, figure 1). 

As per claims 58-59 and 61, the references as combined above disclose the claimed 
device of claim 46. It is obvious to one of ordinary skill in the art that the invention as 
combined above can be implemented in different communication device such as router, firewall, 
or gateway device to provide routing table computations and network management (see Ellis, 
column 8, lines 33-36 and column 9, lines 29-43 and fig. 7). 

As per claim 60, the references as combined above disclose the claimed device of claim 
46 and further discloses wherein the device is a network communication device (see Ellis, 
column 8, lines 58-66). 

As per claim 62, the references as combined above disclose the claimed device of claim 
46 and further discloses wherein the device is a server (see Ellis, column 8, lines 58-66). 

As per claim 63, the references as combined above disclose the limitation of wherein the 
device is a network line card, for example (see Ober et al, abstract). 

6. Claims 66-70 are rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 
6,484,257 to Ellis in view of US Patent 6,760,444 to Leung. 
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As per claims 66-67, Ellis substantially discloses the claimed method of claim 65. Ellis 
discloses a routing table but is silent about using one or more selectors to identify a security 
association information entry in the database. Leung in an analogous art discloses wherein the 
step of determining security association information comprises accessing a database to determine 
security association information (see column 6, lines 13-28) and further comprises using one or 
more selectors to identify a security association information entry in the database wherein the 
one or more selectors include at least one of a destination IP address, a security protocol 
identifier and a security protocol identifier and a security parameter index, for example (see 
column 7, lines 25-37; column 3, lines 6-12). Therefore, it would have been obvious to one of 
ordinary skill in the art at the time the invention was made to use selectors to identify security 
association in the database because since a table contains one-to-many or many-to-many 
relationship of security information using an identifier would allow rapid retrieval of information 
since a secret key and other information may be associated with one identifier as suggested by 
Leung. 

As per claims 68-69, the references as combined above disclose the limitation of wherein 
the one or more selectors include a destination IP address, a source IP address and a transport 
layer protocol and wherein one or more selectors further include a source port and a destination 
port (see Leung, column 7, lines 25-37 and column 9, line 52 through column 10, line 40) this is 
well-known in the art as included in IP header for performing IPsec processing and also 
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disclosed in RFC 2401, "Security Architecture for IP" in Applicant's disclosure. Therefore, 
these claims are rejected on the same rationale as the rejection of claims 66-67 above. 

As per claim 70, the references as combined above disclose updating or generating new 
security association in a database of the server to store security association information for the 
Home Agent that meets the recitation of wherein the step of determining security association 
information comprises if no security association information exists in the database associated 
with the packet, generating the security association information and storing the security 
association information in an entry in the database, for example (see Leung, column 7, line 50 
through column 8, line 40). Therefore, this claim is rejected on the same rationale as the 
rejection of claims 66-67 above. 

Conclusion 

7. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 .136(a) will be calculated from the mailing date of the advisory action. In no event, 
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however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

7.1 Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carl Colin whose telephone number is 571-272-3862. The 
examiner can normally be reached on Monday through Thursday, 8:00-6:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser G. Moazzami can be reached on 571-272-4195. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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